[squid-users] SSL sites bypass authentication

From: Milen Pankov <mail_at_milen.pankov.eu>
Date: Mon, 19 Mar 2012 01:33:52 +0200

Hi,

I have been using squid with basic authentication for quite some time
without problems, but recently I discovered that anyone can open https
addresses through the proxy without authenticating. If someone refuses
the authentication dialog (clicks on Cancel) and receives a squid access
denied error page, after that he can type an https address in the address
bar and it will open fine. I can't seem to find something wrong with the
configuration and I can't seem to find any info on this behavior
anywhere. Would appreciate if someone helps. I am using squid 3.1.6.
Here is the relevant part of the configuration:

auth_param basic program /usr/lib/squid3/squid_db_auth --dsn "DBI:mysql:host=myhostname:database=mydatabase" --user "myuser" --password "mypassword" --table "myusers" --usercol "myusername" --passwdcol "mypassword" --cond "cond1=0 and cond2=1" --md5 --persist
auth_param basic children 5
auth_param basic realm HTTP Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive on
acl db_auth proxy_auth REQUIRED
authenticate_ip_ttl 10 minutes
acl only_one_conn max_user_ip -s 1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny only_one_conn
http_access allow db_auth
http_access deny all

Thanks,
Milen
Received on Sun Mar 18 2012 - 23:38:45 MDT
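
A way to check the behaviour reported above without a browser, as an added example that is not part of the original post: send one CONNECT with no Proxy-Authorization header to a proxy you administer and classify the reply. The function names, the sample replies and the 127.0.0.1:3128 address in the last comment are assumptions made for illustration.

```python
import socket

def classify_connect_reply(raw: bytes) -> str:
    """Classify a proxy's reply to a CONNECT sent with no Proxy-Authorization."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "malformed"
    status = int(parts[1])
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    if status == 407:
        # Expected: the proxy challenges before any tunnel is built.
        return "challenged" if "proxy-authenticate" in names else "407-without-challenge"
    if 200 <= status < 300:
        # The behaviour reported in the post: tunnel opened with no credentials.
        return "tunnel-open-unauthenticated"
    return f"denied-{status}"  # e.g. 403 from an http_access deny rule

def probe(proxy_host: str, proxy_port: int, target: str = "example.com:443",
          timeout: float = 5.0) -> str:
    """Send one credential-less CONNECT to your own proxy and classify the reply."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_connect_reply(buf)

# Constructed sample replies (not captured from the poster's proxy).
SAMPLE_CHALLENGE = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                    b"Proxy-Authenticate: Basic realm=\"HTTP Proxy\"\r\n\r\n")
SAMPLE_TUNNEL = b"HTTP/1.0 200 Connection established\r\n\r\n"
SAMPLE_DENIED = b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for name, raw in [("challenge", SAMPLE_CHALLENGE), ("tunnel", SAMPLE_TUNNEL),
                      ("denied", SAMPLE_DENIED)]:
        print(name, "->", classify_connect_reply(raw))
    # To test a live proxy you administer: print(probe("127.0.0.1", 3128))
```

Running the probe from a client address that has not authenticated recently separates a rule-ordering problem from cached browser credentials.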
